Dell is the latest PC maker with a gaping security flaw, but it will fix it
Lenovo and Samsung might not be the only big Windows PC makers pre-installing software that compromises your security. Computer buyers have discovered that Dell is shipping at least some PCs (such as the new XPS 15) with a self-signed security certificate that's the same on every system. If intruders get a raw copy of the certificate's private key, which isn't hard, they have an easy way to attack every PC shipping with this code. The kicker? This is much like Lenovo's Superfish exploit, only written by the hardware vendor itself -- Dell had plenty of time to learn from its rival's mistake.
What happens next isn't clear. We've reached out to Dell, and it tells us that its engineers are "investigating the current situation." You can read its full statement below. However, it's reasonable to suspect that Dell will either find a way to vary its certificates (so that a hacker can't attack everyone) or eliminate this certificate altogether. It certainly can't afford to maintain the status quo, since it could be exposing millions of people to data thieves.
"Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information."
Update: Dell now says that it's going to yank the certificate (which helps identify your PC to support techs) on all systems from here on out, and it's providing instructions to remove the code on your existing computer. The company adds that it doesn't scoop up personal information, although the concern is more that others could collect that data.
